WannaCry and Jaff: Two Different Malware Attacks with A Common Goal

On Friday, May 12, the Infoblox Intelligence Unit observed not one but two separate ransomware attacks — both using different distribution capabilities and malware. While the two ransomware attacks were not related, it’s becoming evident that the rise in this form of malware is growing exponentially, creating a greater need for businesses to double down on their defense mechanisms. In this particular case, even though both attacks were ransomware-based, it’s vital that organizations properly understand their differences, as the actions to remediate them require different measures.

WannaCry Hits Hard

The first attack, WannaCry, was able to ravage the network systems of over 200,000 organizations across the globe by exploiting a vulnerability found in Microsoft’s Server Message Block. Crises were quickly caused in hospitals and facilities in England’s National Health Service, as these healthcare institutions were forced to cancel non-urgent services, turn away patients and revert to backup procedures. This particular piece of malware leverages an exploit called ETERNALBLUE, which allows it to then move on to establish a backdoor known as DOUBLEPULSAR to allow for future access to the infected systems. WannaCry rapidly spreads by connecting itself to SMB services on local and internet-facing systems with the vulnerability, or by simply running the backdoor.

Upon its initial infection, WannaCry checks whether an external domain (kill switch domain) is available. If the kill switch can be contacted, the encryption function does not run. The kill switch domains are not a command-and-control server for the malware, and therefore should be monitored but not blocked. Before the attack took root on May 12, the domains were not registered; however, shortly after the attack started, a malware researcherregistered and sinkholed the first domain. By doing this, the malware was able to resolve the domain — preventing later infections. However, if left unchecked, WannaCry will encrypt most files on a machine, then begins the ransom ask at $300, raising it to $600 if a user takes too long to pay up.

Meet Jaff

While the world was preoccupied with WannaCry, there was another ransomware attack in progress called Jaff. Launched May 11 by Necurs, one of the largest botnets in the world (notorious for spreading threats such as the Locky ransomware and Dridex banking Trojan), Jaff sent misleading emails to infect its victims encouraging them to open an attached PDF. This document asks for additional permissions when opened, and, if approved, allows the delivery and execution of the ransomware payload. Although the emails used to deliver Jaff employ standard spamming techniques, the exact details vary between each of the concurrent campaigns.

Once the victim opens the email and downloads the PDF attachment, it contacts its C2 servers to communicate that encryption of the victim’s files has begun. From there, Jaff proceeds to encrypt the victim’s files, instructs them to install the Tor Browser and directs users to a specific website that displays a ransom note and payment instructions. The exact amount demanded by the ransom varies over time, but the current ask averages around two Bitcoin (about 3,500 USD).

So What Can You Do?

In the wake of these attacks, organizations need to be aware of the security measures they currently have in place, as well as what they can do moving forward.

Implement Patches In A Timely Manner: WannaCry’s reliance on a known vulnerability and network scanning indicates that some traditional defenses may be effective. However, it is absolutely crucial that organizations are ensuring timely software updates and keeping systems patched. If organizations had done so prior to the WannaCry attack, this would have limited the vulnerability and the worm’s ability to spread through that particular exploit. In the case of the Jaff ransomware, patching would not have been an effective measure.

Use Sinkholes: Unlike the typical command-and-control domains, which should be blocked, WannaCry used a kill switch domain which had to be resolved in order to avoid activating the ransomware’s encryption function. One best practice is for an enterprise to redirect its internal request for those domains to an internal sinkhole. Permitting the infected client to successfully connect to the kill switch domain will prevent the encryption function from completing - allowing it to run internally and prevent unwanted interaction with unknown internet users. This will also enable the enterprise to identify its internal hosts that have been impacted by the malware. Utilizing these internal sinkholes may also be effective for limiting command-and-control interaction such as with the Necurs botnet responsible for launching the Jaff ransomware.

Leverage DNS Response Policy Zone (RPZ) capabilities: Using RPZ capability on your organization’s DNS server to monitor any hits to the kill switch domain helps identify infected clients. For WannaCry, RPZ would’ve helped organizations identify malware infections and quickly respond to them. In the case of the Jaff ransomware, using the RPZ on your organization’s DNS server to blacklist or block connections to the Necurs command and control domains would have mitigated parts of the infection. Additionally, a spambot RPZ could be used for mailer server DNS resolution which would have helped to block some of the incoming malicious emails.

Email safety: In case of Jaff, simple email safety would’ve helped prevent the spread of Jaff. To prevent email-propagated infections like Jaff in the future: 1) Do not open email attachments from unknown senders. 2) Disable Microsoft Office document macros by default. 3) Do not allow documents to open additional files or execute macros without external confirmation (e.g. phone, in person) that the sender is valid. Further, confirm that there’s a specific reason the sender intentionally sent you a document that requires the use of those features.

Keep up-to-date threat intelligence: Across the board, organizations should leverage up-to-date and curated threat intelligence across their entire security and DNS infrastructures, in order to protect against malicious activity and DNS security breaches.

Truly understanding the differences between attacks like these and implementing best practices against both is essential for the security of any organization.

About the author: As Director of Cyber Intelligence for Infoblox, Sean Tierney leads the efforts to develop and refine threat data; delivered to customers as machine readable, actionable intelligence. His team collaborates with industry peers, Fortune 500 companies, and government agencies to identify emerging cybersecurity threats.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.